Nov 13 2017 08:16 AM
We have a set AAD Group that can create O365 Groups and a process to request Groups to be created.
However, we also have a set of users around the globe that are Exchange Admins (not global admins). One of these users can create O365 Groups - specifically from Power BI.
Is this supposed to be happening, or does Power BI not respect the group creation rules?
Nov 13 2017 10:48 AM
Yes, the restrictions don't apply to admin roles.
Nov 13 2017 11:06 AM
Nov 14 2017 05:20 AM
Nov 14 2017 09:53 AM
So maybe only the Global admin roles bypass the restrictions, and the workload-specific ones are still subject to them? With PowerBI being a straggler, as usual.
Nov 14 2017 11:30 AM
Nov 15 2017 12:09 AM
Um, that shouldn't be the case, admins should still be able to use the relevant admin controls to create/manage Groups.
Do you perhaps mean that this happens when they try to create a Group form within Outlook/OWA/any of the "client" endpoints? If so I believe this is the expected behavior, however the admin portal/PowerShell/etc should still allow admins to create new groups.
Just to make sure we're on the same page I dug out the documentation:
The steps in this article don't prevent members of the following roles from creating Office 365 Groups in the Office 365 admin center. However, it does prevent them from creating Office 365 Groups from the apps and it prevents them from creating teams (because you can't create teams in the Office 365 admin center).
Office 365 Global admins
Mailbox Administrator
Partner Tier1 Support
Partner Tier2 Support
Directory Writers
If you're a member of one of these roles, you can create Office 365 Groups for restricted users, and then assign the user as the owner of the group.
Nov 15 2017 05:08 AM
Nov 29 2017 02:57 PM
The rules of the game are that admins can create Groups using admin interfaces like EAC, Office 365 Admin Center, or PowerShell. If the policy doesn't allow them to create groups, they will be blocked if they try using an end-user client.
As to Power BI (or any client), it must include code to query the Groups policy to know who can create new groups. AFAIK, Power BI has not done the work to include the code.